# frozen_string_literal: true
require 'test/unit'
require 'cgi'
require 'stringio'
require_relative 'update_env'
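# Tests for the CGI::Util helpers: URL escaping/unescaping, HTML
# escaping/unescaping, per-element escaping and pretty-printing. Each helper
# is exercised both as a CGI module function and as a method mixed in through
# `include CGI::Util`.
class CGIUtilTest < Test::Unit::TestCase
  include CGI::Util
  include UpdateEnv

  # Prepares the CGI environment and the shared fixture string.
  # update_env comes from UpdateEnv (update_env.rb, not shown here);
  # presumably it records the previous values in @environ so that teardown
  # can restore them -- confirm against that file.
  def setup
    @environ = {}
    update_env(
      'REQUEST_METHOD' => 'GET',
      'SCRIPT_NAME' => nil,
    )
    # HTML/URL metacharacters, a space, then four multibyte UTF-8 characters
    # given as raw bytes. The literal is frozen, hence the dup.
    @str1 = "&<>\" \xE3\x82\x86\xE3\x82\x93\xE3\x82\x86\xE3\x82\x93".dup
    @str1.force_encoding("UTF-8") if defined?(::Encoding)
  end

  # Writes the contents of @environ back into ENV.
  def teardown
    ENV.update(@environ)
  end

  # CGI.escape percent-encodes metacharacters and multibyte bytes, turns a
  # space into '+', and yields an ASCII-only result.
  def test_cgi_escape
    assert_equal('%26%3C%3E%22+%E3%82%86%E3%82%93%E3%82%86%E3%82%93', CGI::escape(@str1))
    assert_equal('%26%3C%3E%22+%E3%82%86%E3%82%93%E3%82%86%E3%82%93'.ascii_only?, CGI::escape(@str1).ascii_only?) if defined?(::Encoding)
  end

  # Letters, digits and "-._~" must come back unchanged.
  def test_cgi_escape_with_unreserved_characters
    assert_equal("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~",
                 CGI::escape("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"),
                 "should not escape any unreserved characters, as per RFC3986 Section 2.3")
  end

  # A byte that is invalid in UTF-8 (\xC0) is percent-encoded rather than
  # raising ArgumentError.
  def test_cgi_escape_with_invalid_byte_sequence
    assert_nothing_raised(ArgumentError) do
      assert_equal('%C0%3C%3C', CGI::escape("\xC0\<\<".dup.force_encoding("UTF-8")))
    end
  end

  # The escaped string keeps the encoding of its input.
  def test_cgi_escape_preserve_encoding
    assert_equal(Encoding::US_ASCII, CGI::escape("\xC0\<\<".dup.force_encoding("US-ASCII")).encoding)
    assert_equal(Encoding::ASCII_8BIT, CGI::escape("\xC0\<\<".dup.force_encoding("ASCII-8BIT")).encoding)
    assert_equal(Encoding::UTF_8, CGI::escape("\xC0\<\<".dup.force_encoding("UTF-8")).encoding)
  end

  # CGI.unescape reverses test_cgi_escape, keeps the fixture's encoding, and
  # leaves characters that were never percent-encoded untouched.
  def test_cgi_unescape
    str = CGI::unescape('%26%3C%3E%22+%E3%82%86%E3%82%93%E3%82%86%E3%82%93')
    assert_equal(@str1, str)
    return unless defined?(::Encoding)

    assert_equal(@str1.encoding, str.encoding)
    assert_equal("\u{30E1 30E2 30EA 691C 7D22}", CGI.unescape("\u{30E1 30E2 30EA}%E6%A4%9C%E7%B4%A2"))
  end

  # The unescaped string keeps the encoding of its input.
  def test_cgi_unescape_preserve_encoding
    assert_equal(Encoding::US_ASCII, CGI::unescape("%C0%3C%3C".dup.force_encoding("US-ASCII")).encoding)
    assert_equal(Encoding::ASCII_8BIT, CGI::unescape("%C0%3C%3C".dup.force_encoding("ASCII-8BIT")).encoding)
    assert_equal(Encoding::UTF_8, CGI::unescape("%C0%3C%3C".dup.force_encoding("UTF-8")).encoding)
  end

  # An explicit nil encoding argument is a TypeError; with only cgi/util
  # loaded (checked in a separate process) the one-argument form still works.
  def test_cgi_unescape_accept_charset
    return unless defined?(::Encoding)

    assert_raise(TypeError) {CGI.unescape('', nil)}
    # The two heredocs splice the lines between "begin;" and "end;" into the
    # script that the child process runs.
    assert_separately(%w[-rcgi/util], "#{<<-"begin;"}\n#{<<-"end;"}")
    begin;
      assert_equal("", CGI.unescape(''))
    end;
  end

  # CGI.pretty indents nested tags, by two spaces or by the given string.
  def test_cgi_pretty
    assert_equal("<HTML>\n  <BODY>\n  </BODY>\n</HTML>\n",CGI::pretty("<HTML><BODY></BODY></HTML>"))
    assert_equal("<HTML>\n\t<BODY>\n\t</BODY>\n</HTML>\n",CGI::pretty("<HTML><BODY></BODY></HTML>","\t"))
  end

  # The five HTML metacharacters map to: ' -> &#39;  & -> &amp;
  # " -> &quot;  > -> &gt;  < -> &lt;
  def test_cgi_escapeHTML
    assert_equal("&#39;&amp;&quot;&gt;&lt;", CGI::escapeHTML("'&\"><"))
  end

  # Input with nothing to escape still yields a new String object, so the
  # caller never receives an alias of its own argument.
  def test_cgi_escape_html_duplicated
    orig = "Ruby".dup.force_encoding("US-ASCII")
    str = CGI::escapeHTML(orig)
    assert_equal(orig, str)
    assert_not_same(orig, str)
  end

  # Helper: escapeHTML on +str+ tagged as +encoding+ must return a string in
  # that same encoding.
  def assert_cgi_escape_html_preserve_encoding(str, encoding)
    assert_equal(encoding, CGI::escapeHTML(str.dup.force_encoding(encoding)).encoding)
  end

  # NOTE(review): Encoding.list returns an Array and does not yield to a
  # block, so the assertions below look like they never execute and this test
  # passes vacuously. If `.each` was intended, confirm first that escapeHTML
  # handles every listed encoding (dummy and non-ASCII-compatible ones
  # included) before switching it on.
  def test_cgi_escape_html_preserve_encoding
    Encoding.list do |enc|
      assert_cgi_escape_html_preserve_encoding("'&\"><", enc)
      assert_cgi_escape_html_preserve_encoding("Ruby", enc)
    end
  end

  # The result is tainted exactly when the input was, whether or not any
  # character needed escaping.
  # NOTE(review): taint tracking was deprecated in Ruby 2.7 and later
  # removed, so this test only applies to older interpreters.
  def test_cgi_escape_html_preserve_tainted
    assert_not_predicate CGI::escapeHTML("'&\"><"),           :tainted?
    assert_predicate     CGI::escapeHTML("'&\"><".dup.taint), :tainted?
    assert_not_predicate CGI::escapeHTML("Ruby"),             :tainted?
    assert_predicate     CGI::escapeHTML("Ruby".dup.taint),   :tainted?
  end

  # The result is never frozen, even when the input is.
  def test_cgi_escape_html_dont_freeze
    assert_not_predicate CGI::escapeHTML("'&\"><".dup),    :frozen?
    assert_not_predicate CGI::escapeHTML("'&\"><".freeze), :frozen?
    assert_not_predicate CGI::escapeHTML("Ruby".dup),      :frozen?
    assert_not_predicate CGI::escapeHTML("Ruby".freeze),   :frozen?
  end

  # Inverse of test_cgi_escapeHTML: the five entities decode to their
  # characters.
  def test_cgi_unescapeHTML
    assert_equal("'&\"><", CGI::unescapeHTML("&#39;&amp;&quot;&gt;&lt;"))
  end

  # NOTE(review): as shown, the input and the expected value are identical,
  # so this only checks that text without a complete entity reference passes
  # through unchanged. The literals may have had entity references decoded by
  # the listing they were copied from; compare with the upstream file.
  def test_cgi_unescapeHTML_invalid
    assert_equal('&<&>"&abcdefghijklmn', CGI::unescapeHTML('&<&>"&abcdefghijklmn'))
  end

  # Defines one escapeHTML and one unescapeHTML round-trip test per encoding
  # the fixture strings can be converted to; encodings without a converter
  # are skipped.
  Encoding.list.each do |enc|
    begin
      escaped = "&#39;&amp;&quot;&gt;&lt;".encode(enc)
      unescaped = "'&\"><".encode(enc)
    rescue Encoding::ConverterNotFoundError
      next
    else
      define_method("test_cgi_escapeHTML:#{enc.name}") do
        assert_equal(escaped, CGI::escapeHTML(unescaped))
      end
      define_method("test_cgi_unescapeHTML:#{enc.name}") do
        assert_equal(unescaped, CGI::unescapeHTML(escaped))
      end
    end
  end

  # Same per-encoding generation for CGI.escape / CGI.unescape, limited to
  # ASCII-compatible encodings. The escaped form stays a plain literal; only
  # the unescaped side is converted to the target encoding.
  Encoding.list.each do |enc|
    next unless enc.ascii_compatible?
    begin
      escaped = "%25+%2B"
      unescaped = "% +".encode(enc)
    rescue Encoding::ConverterNotFoundError
      next
    else
      define_method("test_cgi_escape:#{enc.name}") do
        assert_equal(escaped, CGI::escape(unescaped))
      end
      define_method("test_cgi_unescape:#{enc.name}") do
        assert_equal(unescaped, CGI::unescape(escaped, enc))
      end
    end
  end

  # NOTE(review): the argument as shown holds the three literal characters,
  # so the call only checks pass-through. The test name suggests it should
  # carry numeric character references with an uppercase hex prefix; restore
  # the original literal from the upstream file.
  def test_cgi_unescapeHTML_uppercasecharacter
    assert_equal("\xE3\x81\x82\xE3\x81\x84\xE3\x81\x86", CGI::unescapeHTML("あいう"))
  end

  # The remaining tests call the helpers unqualified, through the CGI::Util
  # mixin.

  def test_cgi_include_escape
    assert_equal('%26%3C%3E%22+%E3%82%86%E3%82%93%E3%82%86%E3%82%93', escape(@str1))
  end

  def test_cgi_include_escapeHTML
    assert_equal("&#39;&amp;&quot;&gt;&lt;", escapeHTML("'&\"><"))
  end

  # h is the short alias for escapeHTML.
  def test_cgi_include_h
    assert_equal("&#39;&amp;&quot;&gt;&lt;", h("'&\"><"))
  end

  def test_cgi_include_unescape
    str = unescape('%26%3C%3E%22+%E3%82%86%E3%82%93%E3%82%86%E3%82%93')
    assert_equal(@str1, str)
    return unless defined?(::Encoding)

    assert_equal(@str1.encoding, str.encoding)
    assert_equal("\u{30E1 30E2 30EA 691C 7D22}", unescape("\u{30E1 30E2 30EA}%E6%A4%9C%E7%B4%A2"))
  end

  def test_cgi_include_unescapeHTML
    assert_equal("'&\"><", unescapeHTML("&#39;&amp;&quot;&gt;&lt;"))
  end

  # escapeElement escapes only the named elements (A and IMG here); <BR> is
  # not in the list and passes through as live markup, so this is a selective
  # escape and not a sanitizer. Element names may be given as separate
  # arguments or as one array, under either method spelling.
  def test_cgi_escapeElement
    assert_equal("<BR>&lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;", escapeElement('<BR><A HREF="url"></A>', "A", "IMG"))
    assert_equal("<BR>&lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;", escapeElement('<BR><A HREF="url"></A>', ["A", "IMG"]))
    assert_equal("<BR>&lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;", escape_element('<BR><A HREF="url"></A>', "A", "IMG"))
    assert_equal("<BR>&lt;A HREF=&quot;url&quot;&gt;&lt;/A&gt;", escape_element('<BR><A HREF="url"></A>', ["A", "IMG"]))
  end

  # unescapeElement re-enables only the named elements in fully escaped
  # markup; the <BR> that escapeHTML encoded stays encoded.
  def test_cgi_unescapeElement
    assert_equal('&lt;BR&gt;<A HREF="url"></A>', unescapeElement(escapeHTML('<BR><A HREF="url"></A>'), "A", "IMG"))
    assert_equal('&lt;BR&gt;<A HREF="url"></A>', unescapeElement(escapeHTML('<BR><A HREF="url"></A>'), ["A", "IMG"]))
    assert_equal('&lt;BR&gt;<A HREF="url"></A>', unescape_element(escapeHTML('<BR><A HREF="url"></A>'), "A", "IMG"))
    assert_equal('&lt;BR&gt;<A HREF="url"></A>', unescape_element(escapeHTML('<BR><A HREF="url"></A>'), ["A", "IMG"]))
  end
end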